RBN – Out with the New and in with the Old – Mebroot

The Russian Business Network (RBN) is using one of its usual deceptive approaches: confusing investigators by reusing old domains and recycling exploit techniques. This is the case with Mebroot. There has rightly been a great deal of press (see links below) concerning Mebroot, as identified by Symantec on Jan 8th 08. This is a rootkit that overwrites part of a computer's hard drive called the Master Boot Record (MBR). It is still deadly and a difficult exploit: once established and undetected, it confounds most anti-virus software. Its purpose is to hijack the user's PC, which is then redirected to download further exploits for stealing banking information and ID theft. The good news is that there are some straightforward detection and removal tools, e.g. GMER; also see on their website a great write-up of how a rootkit actually works.


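As an added example (not code from the original post, from Symantec or from GMER), the following Python parses a 512-byte MBR sector into its boot code, disk signature and partition table, and compares a hash of the boot code against a baseline recorded when the disk was known-good. That comparison is the basic check behind spotting an overwritten MBR. The two sectors it examines are constructed inside the script; the offsets are the standard MBR layout.

```python
"""Added example: parse a 512-byte MBR sector and check its boot code against a
known-good baseline hash. The sample sectors below are constructed, not real."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0-439: bootstrap code in the classic MBR layout
DISK_SIG_OFF = 440             # bytes 440-443: Windows disk signature
PART_TABLE_OFF = 446           # bytes 446-509: four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"    # bytes 510-511: boot signature


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot code hash, disk signature and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # a zero type means the slot is unused
            partitions.append({"active": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from recorded baseline")
    if not any(p["active"] for p in info["partitions"]):
        findings.append("no active partition flagged")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: the given boot code plus one active NTFS-type partition."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"      # signature + 2 reserved bytes
    part0 = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    table = part0 + b"\x00" * 48                                 # three empty slots
    return boot + disk_sig + table + MBR_SIGNATURE


# Constructed "known-good" sector and the baseline hash recorded from it.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0 CONSTRUCTED CLEAN BOOT CODE")
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
# Constructed sector whose boot code was replaced while the partition table was left intact,
# which is what an MBR-overwriting rootkit leaves behind.
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c CONSTRUCTED REPLACED BOOT CODE")

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

On a live system the sector is read from the raw disk device with administrative rights and the baseline is taken while the machine is known clean. A kernel-mode rootkit can filter what a user-mode reader gets back for that sector, so a comparison made from boot media or another offline read is the more trustworthy one; that is the reason dedicated tools such as the GMER anti-rootkit linked below exist.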
So what is new? Well, the exploit sites are now using a fast-flux P2P botnet, and the exploit is polymorphic, i.e. able to alter its form and mutate. But this approach is the same old stuff under a different name: Torpig, Anserin, Gromozon, etc., even using some of the old domains for distribution. So where do the "new" exploit names come from? Unfortunately, from us. Our constant reductionist approach to BadWare is used by the RBN to confound, and we play right into their hands: every time we rename their stuff it becomes easier for them to blend into the confusion. The old is forgotten or not reported, and they reuse it all over again. When we all start using a commonly accepted holistic linguistic approach to the problem, we may win this war.


For details, a "small" sample, especially for our Italian Gromozon readers:

This particular example, callsolutions(dot)biz, is on one of our old friends, Pilosoft AS26627, with a bunch of the RBN's "very young" erotic sites sharing the name server a(dot)ns(dot)joker(dot)com.

As a comparative link (no RBN blog article would be complete without mention of the RBN's US division): kopythian(dot)com at Atrivo AS27595, AKA Inhoster and Intercage, and pecb(dot)cc at Atrivo's Cernal AS36445.

Also, just so no one can say we are picking on Atrivo, or ask where the RBN link is, see the following "joining up the dots" of a very small sample out of hundreds of exploit domains on the same Atrivo name server, managedns1.estboxes.com:

2007postcards(dot)com (Storm),
malwareburn(dot)com (rogue anti-virus),
procodec(dot)com (fake codec),
virusheal(dot)com (rogue anti-virus),
xxl-cash(dot)com (RBN payment site),
plus a cryptic graphic for our readers from the RBN, so they know this is not guesswork.

IP figures: (graphic not reproduced in this text)

Gmer - anti-rootkit download

Gmer - how a rootkit works

Symantec - Mebroot article

BBC - Mebroot

RBN – 365fastcash, Panama, and 1488 RU

As regular readers know, the Russian Business Network (RBN) originally utilized an extensive virtual base in Panama (Nevacon); we can now report they are back. The new hive centers on AS26426 Optynex Telecom SA (Calle 53, Piso 18, Panama City, Panama; phone: 210-9900) and the cybercastco.com name servers (special thanks to Jim McQuaid and Snort expertise).

There are numerous domains, but to select a sample, in this article we focus on two: 365fastcash(dot)com and Jidov(dot)net. It is also pleasing to show that these are already encompassed within the RBN Snort rules on EmergingThreats.net (bleeding-rbn-BLOCK.rules).

365fastcash has been delivering a truly blended threat, using an automated telephone dialing system to ask people for the last 4 digits of their social security number. This was flooding switchboards at a well-known US charitable organization a few days ago, and was obviously the first of many.

Interestingly, there are two sub-domains, "back1.365fastcash" and "bavk1.365fastcash", both similar in structure to the earlier reported 76service and 76team. The difference on this occasion is that the likely personal ID data storage is on direct links from the sub-domains to Level3 Communications: box(dot)net, a service that provides the ability to collaborate and share files online. No doubt Level 3 will be able to inform US authorities of the content of these data files and terminate such services. Further IP and SSL details below.

Jidov(dot)net provides an interesting political twist for the RBN, as this is the safe hosting location for 1488(dot)ru. For those who are not aware, 1488 RU is the supposedly banned, violent, and very well financed Russian Nazi group. The 14 represents the 14-word slogan "We must secure the existence of our people and a future for White children" and 88 represents the eighth letter of the alphabet twice, HH, standing for Heil Hitler. The question now arises: does this represent the source of the RBN's political views, or just an expensive bullet proof (was) hosting?

Forum Intro:

(RU, translated to English) Friends, we are glad to announce that the site 1488.ru is now accessible from the domain zone Jidov.net. Development of the project is in full swing. Thank you for your attention to our resource. Soon we will be able to offer you registration of third-level domains in our domain zones (yournick.1488.ru and yournick.jidov.net). We are also ready to offer you banner placement on the pages of our resource.

Further details: 365Fastcash - 200.115.173.215 - Registrar: KEY-SYSTEMS GMBH; Whois Server: whois.rrpproxy.net; Name Servers: NS1.CYBERCASTCO.COM, NS2.CYBERCASTCO.COM; 06-dec-2007

SSL Information for 200.115.173.215

SSLv2: Yes
Cipher Spec: SSL2_RC4_128_WITH_MD5 [010080]
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 [030080]
Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 [0700c0]
Cipher Spec: SSL2_DES_64_CBC_WITH_MD5 [060040]
Cipher Spec: SSL2_RC4_128_EXPORT40_WITH_MD5 [020080]
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 [040080]
Connection ID: 26ad291530a4cc910e9c066877bda0f0

SSLv3: Yes
Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (256 bit) [000039]

TLS 1.0: Yes
Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (256 bit) [000039]

JIDOV(dot)NET - 200.115.171.200 - Registrar: ESTDOMAINS; Name Servers: NS1.CYBERCASTCO.COM, NS2.CYBERCASTCO.COM; 11-nov-2007

SSL Information for 200.115.171.200

SSLv2: Yes
Cipher Spec: SSL2_RC4_128_WITH_MD5 [010080]
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 [030080]
Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 [0700c0]
Cipher Spec: SSL2_DES_64_CBC_WITH_MD5 [060040]
Cipher Spec: SSL2_RC4_128_EXPORT40_WITH_MD5 [020080]
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 [040080]
Connection ID: 85feb66767c2560349e7409f2b25118f

SSLv3: Yes
Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (256 bit) [000039]

TLS 1.0: Yes
Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (256 bit) [000039]

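An added example (not the scanner's code and not from the blog) that parses the per-protocol "Cipher Spec" listings shown above for the two hosts and reports the protocol versions and cipher suites a reviewer would flag as weak by today's standards: SSL 2.0, SSL 3.0 and TLS 1.0 as versions, and export-grade, single-DES, RC2, RC4 and MD5-based suites. The sample input is the listing for 200.115.173.215 as printed above; the parser also accepts the scanner's two-line form where the version name and the "Yes"/"No" sit on separate lines.

```python
"""Added example: parse the per-protocol "Cipher Spec:" listing shown above and
flag protocol versions and cipher suites that are weak by current standards."""
import re

# Copy of the scan output shown above for 200.115.173.215, used as sample input.
SAMPLE_SCAN = """\
SSLv2: Yes
Cipher Spec: SSL2_RC4_128_WITH_MD5 [010080]
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 [030080]
Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 [0700c0]
Cipher Spec: SSL2_DES_64_CBC_WITH_MD5 [060040]
Cipher Spec: SSL2_RC4_128_EXPORT40_WITH_MD5 [020080]
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 [040080]
Connection ID: 26ad291530a4cc910e9c066877bda0f0

SSLv3: Yes
Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (256 bit) [000039]

TLS 1.0: Yes
Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (256 bit) [000039]
"""

PROTO_RE = re.compile(r"^(SSLv2|SSLv3|TLS 1\.\d)(?::\s*(Yes|No))?\s*$")
CIPHER_RE = re.compile(r"^Cipher Spec:\s+(\S+)")

# Versions that should not be offered at all (RFC 6176, RFC 7568, RFC 8996).
WEAK_PROTOCOLS = {
    "SSLv2": "SSL 2.0 is prohibited (RFC 6176)",
    "SSLv3": "SSL 3.0 is deprecated (RFC 7568)",
    "TLS 1.0": "TLS 1.0 is deprecated (RFC 8996)",
}
# Substrings of a suite name that mark it as weak, checked in this order.
WEAK_TOKENS = [
    ("EXPORT", "export-grade key length"),
    ("DES_64", "single DES (56-bit key)"),
    ("RC2", "RC2 block cipher"),
    ("RC4", "RC4 stream cipher"),
    ("MD5", "MD5-based MAC"),
    ("NULL", "no encryption"),
]


def parse_scan(text: str) -> dict:
    """Map each protocol version answered 'Yes' to the cipher suites listed under it."""
    suites, current, enabled = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            enabled = m.group(2) == "Yes"        # may instead be answered on the next line
            if enabled:
                suites.setdefault(current, [])
            continue
        if line in ("Yes", "No") and current:    # two-line form: version, then Yes/No
            enabled = line == "Yes"
            if enabled:
                suites.setdefault(current, [])
            continue
        c = CIPHER_RE.match(line)
        if c and current and enabled:
            suites[current].append(c.group(1))
    return suites


def weak_reasons(suite: str) -> list:
    """Reasons a suite name is weak; an empty list means no known weak component."""
    return [reason for token, reason in WEAK_TOKENS if token in suite]


def audit(suites: dict) -> dict:
    """Findings split into weak protocol versions and weak suites offered under any version."""
    findings = {"protocols": [], "ciphers": []}
    for proto, offered in suites.items():
        if proto in WEAK_PROTOCOLS:
            findings["protocols"].append(f"{proto}: {WEAK_PROTOCOLS[proto]}")
        for suite in offered:
            reasons = weak_reasons(suite)
            if reasons:
                findings["ciphers"].append(f"{proto} {suite}: " + ", ".join(reasons))
    return findings


if __name__ == "__main__":
    for kind, items in audit(parse_scan(SAMPLE_SCAN)).items():
        print(kind)
        for item in items:
            print("  ", item)
```

Run against the listing above it reports all six SSLv2 suites (every one uses an MD5 MAC, and two are export-grade or single DES) and all three protocol versions; the AES-256 suite itself is only as strong as the version it is offered under.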
RBN - Storm Botnet, the Changing Chessboard

In a follow-up to the earlier Russian Business Network (RBN) post "New and Improved Storm Botnet for 2008", the chessboard changes yet again. In this game of chess our opponents started over Christmas with a full frontal attack, but have already switched to flanking moves. Perhaps on this occasion the community may be able to slow down the advance, force a draw, or maybe even win this particular game of chess?

The key is to understand and combat Storm 2008's innovative elements and to attempt to quantify the progress of the game. With the aid of early analysis by Thorsten Holz / the German Honeynet Project, and based on limited initial data, we have attempted to produce a predictive trend analysis of the Storm botnet's rebuild toward 1 million PCs. This is shown in figure 1: given that current analysis shows growth from, say, 10,000 on Dec-22 to 30,000-40,000 by Jan-03, on a conservative analysis Storm should reach 1 million by mid-Feb 08.

So at least we now have a potential game-progress definition: for the RBN it would be a disappointment if they did not easily clear this target; for the community the aim is to limit it. Game on?


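An added worked example of the projection described above (this is not the German Honeynet Project's analysis or the figure 1 referred to): it fits a constant daily growth rate to the two figures quoted, 10,000 on Dec-22 and 30,000 or 40,000 on Jan-03, and solves for the day on which 1 million would be crossed. The pure exponential model and the "conservative"/"aggressive" scenario labels are assumptions of this example.

```python
"""Added example: exponential growth projection from two botnet size estimates.
Figures are the ones quoted in the post; the exponential model is an assumption."""
import math
from datetime import date, timedelta


def growth_rate(n0: float, n1: float, days: float) -> float:
    """Daily rate r such that n1 = n0 * exp(r * days)."""
    return math.log(n1 / n0) / days


def size_on(n0: float, r: float, days_elapsed: float) -> float:
    """Projected size after days_elapsed at rate r."""
    return n0 * math.exp(r * days_elapsed)


def days_to_reach(n0: float, target: float, r: float) -> float:
    """Days until size grows from n0 to target at rate r."""
    return math.log(target / n0) / r


def project(start: date, n0: float, later: date, n1: float, target: float) -> dict:
    """Fit r from the two observations and project when target is crossed."""
    days = (later - start).days
    r = growth_rate(n0, n1, days)
    d = days_to_reach(n0, target, r)
    return {
        "daily_rate": r,
        "doubling_days": math.log(2) / r,
        "days_to_target": d,
        "target_date": start + timedelta(days=math.ceil(d)),
    }


START, LATER = date(2007, 12, 22), date(2008, 1, 3)   # the two dates quoted in the post
SCENARIOS = [("conservative", 30_000), ("aggressive", 40_000)]   # Jan-03 estimates

if __name__ == "__main__":
    for label, n1 in SCENARIOS:
        p = project(START, 10_000, LATER, n1, 1_000_000)
        print(f"{label}: {p['daily_rate']:.4f}/day, doubling every {p['doubling_days']:.1f} days, "
              f"1 million reached about {p['target_date']}")
```

With the lower Jan-03 estimate the fitted rate is about 9.2% per day (doubling every 7.6 days) and 1 million is crossed around Feb 11; with the higher estimate it is about 11.6% per day and the crossing moves to Jan 31. The "mid Feb" figure in the text therefore corresponds to the conservative end of the two-point fit.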
To play this game we had all better know the rules of deception. On a current assessment of progress against the innovative Storm elements:

# First, the good news: so far 2,147 fake and/or infected Blogspots have been detected and are flagged by Google, as shown in the StopBadWare clearing house.

# Further good news: on checking, most of the Storm attack domains (see list below) are either SBL or XBL listed on Spamhaus et al.

# Some confusion in the ranks, as assumptions are made as to locations or even selective attacks. As described elsewhere, the botnet control panel(s) are now much more sophisticated, with the ability to decide which geographic regions and areas to attack. Interestingly, if the PC is still subject to an earlier infection there will be no further re-infection.

# As noted, the polymorphic nature is clearly present to confuse, i.e. the virus or exploits have the ability to alter their signature in an attempt to defeat anti-virus tools.

# Most worrying is the constant stream of domains and the "fast-flux" technique used to avoid detection; as mentioned, in this case it is actually "double-flux", characterized by multiple nodes within the network registering and de-registering their addresses. This implies that the IPs change as fast as they are block-listed. It would seem "Snort", which is capable of performing packet logging and real-time traffic analysis on IP networks, may at last demonstrate its earlier promise.

# Finally, it is fairly safe to predict there will be further attacks on the search engines and via social engineering, i.e. Facebook, etc.


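The fast-flux and double-flux behaviour described above (nodes registering and de-registering addresses, so the IPs behind a domain keep changing) can be spotted from a resolver's own lookup history. The following is an added example, not from the original post or from any tool it references: it aggregates successive lookups per domain and scores IP diversity, name-server rotation, low TTLs and answer churn. The observations use RFC 5737 documentation addresses and are constructed, the weights and thresholds are assumptions, and /16 prefixes stand in for the ASN lookups a real deployment would use.

```python
"""Added example: score DNS lookup histories for fast-flux / double-flux behaviour.
Observations below are constructed (RFC 5737 documentation addresses), not real data."""
from collections import defaultdict

# (domain, TTL seconds, A records, NS records) for each successive lookup
OBSERVATIONS = [
    ("flux-example.test", 180, ["198.51.100.7", "203.0.113.21", "192.0.2.66"], ["ns1.flux-a.test"]),
    ("flux-example.test", 180, ["203.0.113.88", "198.51.100.130", "192.0.2.201"], ["ns2.flux-b.test"]),
    ("flux-example.test", 120, ["192.0.2.9", "198.51.100.250", "203.0.113.5"], ["ns3.flux-c.test"]),
    ("static-example.test", 86400, ["192.0.2.10"], ["ns1.static.test"]),
    ("static-example.test", 86400, ["192.0.2.10"], ["ns1.static.test"]),
    ("static-example.test", 86400, ["192.0.2.10"], ["ns1.static.test"]),
]

LOW_TTL = 300           # seconds; assumed threshold below which a TTL looks flux-like
FLUX_THRESHOLD = 10.0   # assumed score at or above which a domain is reported


def prefix16(ip: str) -> str:
    """/16 of an IPv4 address, a crude stand-in for network (ASN) diversity."""
    a, b, _, _ = ip.split(".")
    return f"{a}.{b}.0.0/16"


def summarize(observations) -> dict:
    """Per domain: unique A records, /16s, NS names, lowest TTL and answer-set churn."""
    per = defaultdict(lambda: {"ips": set(), "nets": set(), "ns": set(),
                               "min_ttl": None, "lookups": 0, "churn": 0, "last": None})
    for domain, ttl, a_records, ns_records in observations:
        s = per[domain]
        s["lookups"] += 1
        s["ips"].update(a_records)
        s["nets"].update(prefix16(ip) for ip in a_records)
        s["ns"].update(ns_records)
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        current = frozenset(a_records)
        if s["last"] is not None and current != s["last"]:
            s["churn"] += 1      # answer set changed between consecutive lookups
        s["last"] = current
    return per


def flux_score(s: dict) -> float:
    """Heuristic score; the weights are assumptions, not from a published detector."""
    score = (len(s["ips"]) * 1.0 + len(s["nets"]) * 1.5
             + len(s["ns"]) * 1.5 + s["churn"] * 1.0)
    if s["min_ttl"] is not None and s["min_ttl"] <= LOW_TTL:
        score += 2.0
    return score


def classify(observations) -> dict:
    """'double-flux' when A and NS records both rotate, 'single-flux' for A only, else 'stable'."""
    result = {}
    for domain, s in summarize(observations).items():
        if flux_score(s) < FLUX_THRESHOLD:
            result[domain] = "stable"
        elif len(s["ns"]) > 1:
            result[domain] = "double-flux"
        else:
            result[domain] = "single-flux"
    return result


if __name__ == "__main__":
    for domain, s in summarize(OBSERVATIONS).items():
        print(f"{domain}: score={flux_score(s):.1f} ips={len(s['ips'])} "
              f"nets={len(s['nets'])} ns={len(s['ns'])} churn={s['churn']} min_ttl={s['min_ttl']}")
    print(classify(OBSERVATIONS))
```

A flagged domain is a candidate for the kind of Snort or block-list rule the post mentions; the point of scoring the history rather than a single answer is that any one lookup of a flux domain looks like an ordinary round-robin record.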
The current Storm attack domains and related fakes (also see the links below: Malwaredomains, Emerging Threats, honeywall blog, and US-CERT), although limited in number to begin with, are now:

10000xing(dot)cn - 222360(dot)com - adslooks(dot)info - bnably(dot)com - eqcorn(dot)com - familypostcards2008(dot)com - freshcards2008(dot)com - happy2008toyou(dot)com - happysantacards(dot)com - hellosanta2008(dot)com - hohoho2008(dot)com - kqfloat(dot)com - ltbrew(dot)com - mymetavids(dot)com - obebos(dot)cn - parentscards(dot)com - postcards-2008(dot)com - ptowl(dot)com - qavoter(dot)com - santapcards(dot)com - santawishes2008(dot)com - siski(dot)cn - snbane(dot)com - snlilac(dot)com - tibeam(dot)com - tushove(dot)com - wxtaste(dot)com - yxbegan(dot)com


The specific Storm exploits have overlapped with fake anti-malware and fake codecs, which are polymorphic in nature:
ArcadeWorld(dot)exe - ArcadeWorldGame(dot)exe - ClickHere(dot)exe - codecnice1126(dot)dmg - codecnice1126(dot)exe - codecultra1123(dot)dmg - codecultra1123(dot)exe - ecard(dot)exe - fck2008(dot)exe - Flash_Postcard(dot)exe - FlashPostcard(dot)exe - Full Story(dot)exe - FullClip(dot)exe - FullNews(dot)exe - FullVideo(dot)exe - GreetingCard(dot)exe - GreetingPostcard(dot)exe - happy_2008(dot)exe - happy2008(dot)exe - Install_video_3913230(dot)exe - MoreHere(dot)exe - NflStatTracker(dot)exe - Postcard(dot)exe - Read_More(dot)exe - ReadMore(dot)exe - sony(dot)exe - stripshow(dot)exe - Video(dot)exe - VideoAccessCodecInstall(dot)exe - virusranger(dot)exe - vrsvc(dot)exe

Storm Growth analysis - German HoneyNet
Malwaredomains
Emerging Threats
US Cert